Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Claims contain an instance of java.net.URL and are used in hash-based containers #10673

Closed
jyrimatti opened this issue Dec 31, 2021 · 4 comments
Closed

Claims contain an instance of java.net.URL and are used in hash-based containers #10673

jyrimatti opened this issue Dec 31, 2021 · 4 comments
Assignees
@jyrimatti
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: breaks-passivity A change that breaks passivity with the previous release
Milestone
6.0.0-M6

Comments

@jyrimatti
Copy link
Contributor

Hi,

class org.springframework.security.oauth2.core.user.OAuth2UserAuthority includes its attributes for the calculation of hashCode and equals.
In case of org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority extends OAuth2UserAuthority those attributes come from org.springframework.security.oauth2.core.oidc.OidcIdToken and org.springframework.security.oauth2.core.oidc.OidcUserInfo via org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority.collectClaims(OidcIdToken, OidcUserInfo) function. It seems that due to https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java#L101 whenever (always?) the claims contain a org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.ISS, it is there as an instance of class java.net.URL.

This is a problem, since due to historical reasons, URL performs DNS lookups whenever its equals/hashCode is used. Instances of URL must not be used in any containers requiring use of equals/hashCode.

A simple solution would be to change it to be an instance of java.net.URI. Would this break something? I didn't craft a pull request since I have no idea if this kind of change would be a major breaking change for spring-security...?
@jyrimatti jyrimatti added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 31, 2021
@marcusdacoregio marcusdacoregio added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 4, 2022
@jgrandja jgrandja added this to the 6.0.x milestone Mar 17, 2022
@jgrandja jgrandja added type: breaks-passivity A change that breaks passivity with the previous release and removed type: bug A general bug labels Mar 17, 2022
@jgrandja
Copy link
Contributor

Thanks for the report @jyrimatti. This will be a breaking change so I've scheduled it for 6.0.x.

I think the required change is to ensure the Map returned from OidcUserAuthority.collectClaims() replaces all URL values with URL.toExternalForm().

Would you be interested in submitting a PR for this?

@jyrimatti
Copy link
Contributor Author

Yes, sure, I can submit one.

Just to make sure: Are you certain this fix is enough? java.net.URL is not deprecated and I guess it's never going to be, but as https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4434494 says:

People are encouraged to use URI for parsing and URI comparison, and leave URL class for accessing the URI itself, getting at the protocol handler, interacting with the protocol etc.

Thus, another possibility (?) would be to change createDefaultClaimTypeConverters methods in OidcIdTokenDecoderFactory and ReactiveOidcIdTokenDecoderFactory to use an uriConverter (or stringConverter if String is wanted) instead of urlConverter for IdTokenClaimNames.ISS.

@jgrandja
Copy link
Contributor

jgrandja commented Mar 25, 2022
edited
Loading

@jyrimatti Take a look at the OpenID Connect Core 1.0 spec, in section 2. ID Token:

iss
REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

The iss is a URL so URL OidcIdToken.getIssuer() is correct and no changes are required in OidcIdTokenDecoderFactory or ReactiveOidcIdTokenDecoderFactory.

The only change required is what I proposed in previous comment - either URL.toExternalForm() OR convert to URI.

Another possible solution is to change the OAuth2UserAuthority.equals() and OAuth2UserAuthority.hashCode() methods to iterate over this.getAttributes() and do the conversion there instead. I think I like this option best.

@jyrimatti jyrimatti mentioned this issue Mar 25, 2022
Closed
@jyrimatti
Copy link
Contributor Author

Ok, sure.
Made a PR: #11030
Please let me know if there's something I can improve!

jyrimatti added a commit to jyrimatti/spring-security that referenced this issue May 28, 2022
@jyrimatti
Treat URLs as String before equals/hashcode
5a1e80f 
java.net.URL performs DNS lookups whenever its equals/hashCode is
used. Thus attribute values of type java.net.URL need to be converted
to something else before they are used for equals/hashCode.
Closes spring-projectsgh-10673
@jgrandja jgrandja modified the milestones: 6.0.x, 6.0.0-M6 Jun 3, 2022
@jgrandja jgrandja assigned jyrimatti and unassigned jgrandja Jun 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jyrimatti jyrimatti

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: breaks-passivity A change that breaks passivity with the previous release
Projects
None yet
Milestone
6.0.0-M6
Development

Successfully merging a pull request may close this issue.

Convert URLs to String before equals/hashcode jyrimatti/spring-security
3 participants
@jyrimatti @jgrandja @marcusdacoregio